Menu

Chef Supermarket

Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

View our collection of guides, documentation, and articles

Cookbooks
Advanced Options

Select Badges

Select Supported Platforms

RSS

secret (1) Versions 1.0.0

Managing secrets in Chef recipes

Berkshelf
Policyfile
Knife 
cookbook 'secret', '~> 1.0.0'
cookbook 'secret', '~> 1.0.0', :supermarket
knife supermarket install secret
knife supermarket download secret
README
Dependencies
Quality 50%

secret cookbook

Managing secrets in Chef recipes.

Usage

secret = ::ChefCookbook::Secret::Helper.new(node)
secret.get('postgres:password:root')  # supersecretpassword

Approach

If you use Chef encrypted data bags for storing secrets (passwords, API keys etc.), you might have written some code like this below:

secret_val = data_bag_item(DATA_BAG_NAME, DATA_BAG_ITEM_NAME)[SUBKEY_1][SUBKEY_2][SUBKEY_3]

Assuming you have several servers (Chef nodes) and various environments (development, staging, production), the scheme below is good enough for managing secrets for all assets in one repository:

  1. DATA_BAG_NAME stands for a category. E.g. postgres for stroring all PostgreSQL server user passwords.
  2. DATA_BAG_ITEM_NAME stands for an environment. E.g. staging.
  3. SUBKEY_1 (in fact, all top-level keys within JSON associated with a particular data bag item) stands for server (Chef node) FQDN.

With that in mind, the postgres::staging data bag item JSON will contain the following data:

{
  "id": "staging",
  "db1.example.com": {
    "password": {
      "root": "reallystrongpassword1"
    }
  },
  "db2.example.com": {
    "password": {
      "reallystrongpassword2"
    }
  }
}

In order to obtain the necessary password while provisioning server db1.example.com, you can write in your recipe:

postgres_pwd = data_bag_item('postgres', node.chef_environment)[node['automatic']['fqdn']]['password']['root']

secret cookbook will make the difference:

secret = ::ChefCookbook::Secret::Helper.new(node)  # initialize once in a recipe
postgres_pwd = secret.get('postgres:password:root')

You only need to pass DATA_BAG_NAME and subkeys, excluding environment and FQDN values (they are detected automatically).

Advanced usage

secret_val = secret.get(query, options)

where query is a string and options is a Ruby Hash.

default option

secret.get will return a default value in case there is no one defined in a data bag item.

required option

Whether a value must be defined in a data bag item or by a default option. By default is true. A provision process will fail if a required value is not defined in a data bag item and there is no default value.

item option

Overrides DATA_BAG_ITEM_NAME. By default it equals node.chef_environment.

prefix_fqdn option

Whether or not prepend server (Chef node) FQDN to the query. By default is true. When the value is false, your data bag item JSON should look like this:

{
  "id": "staging",
  "password": {
    "root": "reallystrongpassword1"
  }
}

This may be suitable for environments with a single node or several nodes with shared secrets.

Not only can this option be customised in a server.get call, but it may also be changed globally with node['secret']['prefix_fqdn'] attribute (true by default).

Examples

val1 = secret.get('postgres:password:user', default: nil)
val2 = secret.get('aws:s3:access_key', prefix_fqdn: false)

License

MIT @ Alexander Pyatkin

Dependent cookbooks

instance ~> 2.0.0

Contingent cookbooks

nsd Applicable Versions
nsd 0.1.0
nsd 0.2.0
nsd 0.3.0
sockd Applicable Versions
sockd 0.1.0
sockd 0.1.1

Collaborator Number Metric 
            
1.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric 
            
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric 
            
1.0.0 passed this metric

No Binaries Metric 
            
1.0.0 passed this metric

Publish Metric 
            
1.0.0 passed this metric

Supported Platforms Metric 
            
1.0.0 failed this metric
secret should declare what platform(s) it supports.

Testing File Metric 
            
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric 
            
1.0.0 passed this metric

Alexander Pyatkin Alexander Pyatkin

Details

View Source View Issues

Updated November 10, 2017 Created on

Platforms

License

MIT

Download Cookbook